This repository has been archived by the owner on Feb 8, 2018. It is now read-only.

No non-creepy way to create a Gratipay account? #4085

Closed
ghost opened this issue Jul 18, 2016 · 7 comments

@ghost

ghost commented Jul 18, 2016

Currently, Gratipay allows would-be Gratipay participants to choose from the following authentication providers in order to create Gratipay accounts:

  • Twitter
  • GitHub
  • Google
  • Bitbucket
  • OpenStreetMap

Only one of these - OpenStreetMap - is not proprietary SaaSS. I.e. there's only one potentially non-creepy authentication option.

Moreover, attempting to create a Gratipay account using these services results in Gratipay asking for more information about the user than seems necessary, and failing to create a Gratipay account unless the user yields that information.

(For my sins, I still have some accounts with some of those proprietary SaaSS platforms, that I have not yet deleted/abandoned. That was how I was able to discover this issue.)

Here are examples.

OpenStreetMap

The application Gratipay is requesting access to your account [...]. Please check whether you would like the application to have the following capabilities. You may choose as many or as few as you like.

Allow the client application to:

[ ] read your user preferences.

[Grant access]

There is no reason why Gratipay should have access to my OpenStreetMap user preferences. It shouldn't even be requesting them. Naturally, I uncheck the "read your user preferences" checkbox. However, when I then click the "Grant access" button, I receive the message, "You have denied application Gratipay access to your account."

Result: fail

Google

Gratipay would like to:

  • Know who you are on Google. (This app is requesting permission to associate you with your public Google profile.)
  • Know the list of people in your circles, your age range, and language. (View the list of people you've connected to on Google+. View your age range, and language.)
  • View your email address. (View the email address associated with your account.)

By clicking Allow, you allow this app and Google to use your information in accordance with their respective terms of service and privacy policies. You can change this and other Account Permissions at any time.

[Deny] [Allow]

OK, I certainly don't see any reason why Gratipay should know whether I have any people in my "circles" nor, if so, who they are. Likewise my age range. Likewise whatever language settings I might use for Google (after all, what if I want to use Google in one language, and Gratipay in another?). I'm a bit unclear about what a "public Google profile" is, but I don't really see any need for Gratipay to access it, regardless, at least for account creation. Unfortunately, there is no option to uncheck any of these permissions, so the only option here is to click "Deny".

Result: fail

GitHub

Gratipay by @gratipay would like permission to access your account

Review permissions

Organizations and teams

Read-only access

This application will be able to read your organization and team membership.

[Authorize application]

This is less intrusive than the two examples above, but I still don't see any good reason for Gratipay to be granted access to that information in order to simply create a Gratipay account. Similarly to the Google example above, there is no option to uncheck that permission, so the only option here is to hit the browser's "Back" button.

Result: fail

Twitter

Authorize Gratipay to use your account?

This application will be able to:

  • Read Tweets from your timeline.
  • See who you follow.

Will not be able to:

  • Follow new people.
  • Update your profile.
  • Post Tweets for you.
  • Access your direct messages.
  • See your Twitter password.

[Authorize app] [Cancel]

So, even if a user's tweets or follow list are protected (i.e. not public), Gratipay wants to see them? Whoa, not cool. Again, no option to uncheck these permissions, so hitting "Cancel" is the only reasonable option.

Result: fail

Ramifications

The issue described here might be a reason why people decide not to join Gratipay.

Recommendations

I suggest these possible solutions:

  1. Fix drop social authentication #3837; or
  2. Fix the Gratipay codebase such that it requests only the absolute minimum of information available from external OAuth or other authentication providers: enough to authenticate, and no more. No "friends in your circles" or other creepy stuff.

Thanks!

@Changaco
Contributor

The code only asks for permissions it needs, just not when it needs them, see #2854. For OpenStreetMap and Twitter there is no lower level of access that could be used.

@ghost

ghost commented Jul 18, 2016

On the Google+ authorization page, I was able to uncheck all the Circles of the list.

@chadwhitacre
Contributor

We added OpenStreetMap specifically to assuage free software activists (#1503). I'm closing this as a duplicate of #1052 (rather than #3837, since adding email is the part of #3837 which would address the stated problem, and we don't need to drop social in order to add email).

As @Changaco points out, we're already as tight as possible for Twitter and OpenStreetMap (hence the error message you saw when trying to tighten further: "You have denied ..."). I've reticketed limiting our Google scopes as #4087, since @Nashe seems to indicate that we're not as tight as we could be there.

@ghost

ghost commented Jul 18, 2016

I don't know if we can reduce the scope, but at least it seems that the user can choose what to expose ;-)

@ghost
Author

ghost commented Jul 18, 2016

@Nashe

On the Google+ authorization page, I was able to uncheck all the Circles of the list. [It] seems that the user can choose what to expose

I don't use Google+, but using the "Google" option from the Gratipay "sign in" drop down menu, the behaviour is exactly as I described above. I am not presented with a mechanism to choose which items to grant Gratipay access to.

Maybe Google+ users are shown a different page, with different options?

@ghost
Author

ghost commented Jul 18, 2016

@whit537

I'm closing this as a duplicate of #1052 (rather than #3837, since adding email is the part of #3837 which would address the stated problem [...])

That seems fair. Thanks.

As @Changaco points out, we're already as tight as possible for Twitter and OpenStreetMap (hence the error message you saw when trying to tighten further: "You have denied ...").

I can only take your word for this, as I don't have experience of implementing OAuth/etc against those services myself. Still, from a user perspective, it is an unwelcome surprise to be asked to grant Gratipay access to more information than seems necessary.

To resolve this, perhaps Gratipay should manage the user's expectations in some way, e.g. by stating on the OAuth page, "Sorry to have to ask for this access. These are the minimum permissions that the authentication provider requires us to ask for in order to use their authentication service." Or words to that effect.

I've reticketed limiting our Google scopes as #4087, since @Nashe seems to indicate that we're not as tight as we could be there.

Thanks again :)

@chadwhitacre
Contributor

Let's please discuss Google+ on #4087.
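
An added example (not part of the thread, and not Gratipay's code) of the two points raised above: requesting only what sign-in needs, and deferring further scopes until the feature that needs them is used. The scope strings are real provider scopes; the minimum sets, the `team-sync` feature name and the sample request lists are assumptions.

```python
from urllib.parse import urlencode

# Assumption: smallest scope set that still identifies the user at sign-in.
SIGN_IN_MINIMUM = {
    "google": {"openid", "email"},
    "github": set(),  # no scope = read-only access to public profile data
}

# Assumption: scopes tied to a feature, requested only when it is first used.
# "team-sync" is a hypothetical feature name.
FEATURE_SCOPES = {
    "github": {"team-sync": {"read:org"}},
}


def allowed_scopes(provider, feature=None):
    """Scopes that may be requested for sign-in, plus one optional feature."""
    scopes = set(SIGN_IN_MINIMUM[provider])
    if feature is not None:
        scopes |= FEATURE_SCOPES[provider][feature]
    return scopes


def excess_scopes(provider, requested, feature=None):
    """Return the requested scopes that go beyond what this step needs."""
    return sorted(set(requested) - allowed_scopes(provider, feature))


def authorize_url(endpoint, provider, client_id, redirect_uri, state, feature=None):
    """Build an authorization-code request carrying only the allowed scopes."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    scopes = allowed_scopes(provider, feature)
    if scopes:  # omit the parameter entirely rather than sending an empty one
        params["scope"] = " ".join(sorted(scopes))
    return endpoint + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed request lists, not Gratipay's actual configuration.
    print(excess_scopes("google", ["openid", "email",
                                   "https://www.googleapis.com/auth/plus.login"]))
    print(excess_scopes("github", ["read:org"]))
    print(excess_scopes("github", ["read:org"], feature="team-sync"))
```

Run as a CI check over the configured scope lists, `excess_scopes` turns any scope added beyond the sign-in minimum into a failing build instead of a surprise on the consent screen.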
